Notification Matters – Part 2

Posted December 9, 2009 by Laura Hale
Categories: Breach, HIPAA Security, HITECH, HIPAA Privacy, Regulatory

By Laura L. Hale

If you’ve read my prior post, Notification Matters Part 1, you already know that there are many components to the notifications required by the Breach Notification Rule. I explored three of these components (listed below) in that post and will explore the remaining components in this post.

Notification Components

This post explores components 4 – 7.

  1. Discovery
  2. Timeliness
  3. Content
  4. Actual notice
  5. Substitute notice
  6. Notification to the media
  7. Notification to the Secretary

Actual Notice

The Secretary has specified relatively straightforward requirements for the notice. Covered entities must provide notice to affected individuals in writing at the last known address via first class mail. In the event that the affected individual is a minor or otherwise lacks capacity, notice may be provided to a parent or other personal representative.

The Breach Notification Rule addresses deceased patients as well. Although the language in the HITECH Act requires that notification go to a deceased person’s next of kin, the interim final rule allows for notification to either the next of kin or personal representative, in conformance with the Privacy Rule. Commenters reading the proposed rule were concerned with this provision, so the preamble addresses those concerns. The notice need go to the next of kin or personal representative of a deceased person only if 1) the covered entity knows that the person is deceased and 2) has the address of the next of kin or personal representative.

The Interim Final Rule allows for notice to be provided via email if 1) the individual agrees to receive notice via email and 2) such agreement has not been withdrawn. The preamble doesn’t expound on this in any great detail, but I think it’s safe to say that a covered entity would need to solicit this agreement specifically and implement a method of handling revocations of the agreement.

Substitute Notice

The preamble addresses those situations in which the covered entity doesn’t have sufficient contact information or those in which the first class mail notification is returned as undeliverable. In these instances a covered entity may provide substitute notice. The keys to this substitute notice are that 1) it is provided as soon as reasonably possible, 2) it is calculated to reach the affected individuals and 3) it contains all of the elements of the original written notice.

If there are fewer than 10 individuals for whom substitute notice is required, the covered entity can use alternate contact information, such as an email address (regardless of whether an email notification agreement is in place) or phone number. The preamble urges caution about leaving sensitive information in voice mail messages and encourages instead a message that urges the affected individual to return the call for urgent information. Take note for routine voice mail messages as well!

If alternate contact information is not available the covered entity can provide substitute notice in the form of a conspicuous posting on the entity’s website or other location. The key is that the notice is calculated to reach affected individuals. (Note that substitute notice is not required for deceased individuals when the next of kin’s contact information is outdated.)

If there are 10 or more affected individuals for whom substitute notice is required, the covered entity must provide substitute notice in the form of a conspicuous posting for a period of 90 days either 1) on the entity’s website or 2) in major print or broadcast media in the geographic areas where those individuals affected by the breach are likely to reside.

For media notices, the notice must include a toll-free number, active for at least 90 days, at which affected individuals can receive more information. The media outlets chosen must be “major print or broadcast media in the geographic areas in which affected individuals are calculated to reside.” This is an easy decision in major metropolitan areas, but not so much in rural areas. The key is the prominence of that outlet in that geographic area. A prominent county-wide newspaper may be the answer in certain rural areas.

For web notices, the preamble clarifies that the “home page” is defined as both 1) the home page for visitors to the website and 2) the login or landing page for existing account holders.

The home page can provide the required information directly or contain a hyperlink to another page that provides the information. The hyperlink must be 1) prominent in size, color and font (relative to other content) and 2) worded so that both the nature of the information and its importance are clear.

Media Notification

If a breach affects 500 or more residents of a single state or jurisdiction, the covered entity is required to provide notice to prominent media outlets serving the state or jurisdiction in which affected individuals reside. This is not the same as providing notice to individuals through the media; this is truly notice of the breach provided to the media and is intended to supplement notice to the individual.

The timeframe for this notice is the same as that to individuals – without unreasonable delay and in no case more than 60 days after discovery of the breach. The form of the notice is not specified, although the preamble speculates that most covered entities would use a standard press release format. The content of the notice is the same as that provided to the affected individuals.

The preamble clarifies both “prominent” and “state or jurisdiction”. A prominent media outlet is one that will reach the audience intended; special interest outlets, such as sports publications, would not be considered prominent. The state definition is that from the HIPAA Rules, which is the 50 states, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands and Guam; the HITECH Act also added American Samoa and Northern Mariana Islands. Jurisdiction is any subdivision of a state, such as a county or city.

The state or jurisdiction issue is important in determining whether media notice is required. The preamble clarifies that a breach affecting 600 individuals residing in different states (e.g., 400 in one state and 200 in another) does not trigger the media notification requirement.

Secretary Notice

Covered entities must notify the Secretary in all instances of breach; the format and timing of the notice vary based on the number of affected individuals.

When a breach involves 500 or more affected individuals the covered entity must provide notice to the Secretary concurrent with notice to the individual. The instructions for this notification are specified on the Secretary’s website and can be found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html.

When a breach involves fewer than 500 affected individuals the covered entity may log the breach and notify the Secretary in an annual filing. The instructions for this notification can be found at the same hyperlink above.

No need to worry about mastering two distinct formats for reporting to the Secretary, as the form is identical for both situations.

The preamble clarifies that this notification requirement is determined without regard to the state or jurisdiction in which the affected individuals reside. Accordingly, a breach involving 600 individuals residing in two states (400 in one state and 200 in another – see example above) will not trigger media notification but nonetheless requires concurrent notification to the Secretary.
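The thresholds in the Substitute Notice, Media Notification and Secretary Notice sections above form a small decision procedure. The following is an added example, not code from the original post or from HHS: a Python helper that applies those thresholds (fewer than 10 versus 10 or more unreachable individuals, 500 or more in a single state or jurisdiction for media notice, 500 or more in total for concurrent Secretary notice, and the 60-day outer deadline) to a breach record. The `Breach` data class, the function names and the 400/200 sample counts are my own constructions that mirror the post's worked example.

```python
"""Decision helper for the Breach Notification Rule thresholds described
in this post. Constructed illustration; names and structure are assumptions,
not an HHS tool or form."""
from dataclasses import dataclass
from datetime import date, timedelta

OUTER_DEADLINE_DAYS = 60          # "in no case more than 60 days after discovery"
FIVE_HUNDRED = 500                # media notice (per jurisdiction) and concurrent Secretary notice (total)
ALT_CONTACT_MAX = 9               # fewer than 10 unreachable -> alternate contact is enough
POSTING_PERIOD_DAYS = 90          # conspicuous posting and toll-free number must run 90 days


@dataclass
class Breach:
    discovered: date
    affected_by_jurisdiction: dict   # e.g. {"State A": 400, "State B": 200}
    unreachable_by_mail: int = 0     # no address on file, or first-class mail returned


def make_breach(discovered_iso: str, affected_by_jurisdiction: dict, unreachable_by_mail: int = 0) -> Breach:
    """Convenience constructor taking the discovery date as YYYY-MM-DD."""
    return Breach(date.fromisoformat(discovered_iso), dict(affected_by_jurisdiction), unreachable_by_mail)


def total_affected(b: Breach) -> int:
    return sum(b.affected_by_jurisdiction.values())


def outer_deadline(b: Breach) -> date:
    """Latest permissible date for individual (and media) notice. Notice must
    still go out without unreasonable delay, so this is a ceiling, not a target."""
    return b.discovered + timedelta(days=OUTER_DEADLINE_DAYS)


def media_notice_required(b: Breach) -> bool:
    """Media notice is triggered only when a single state or jurisdiction has
    500 or more affected residents; 400 in one state plus 200 in another does not qualify."""
    return any(n >= FIVE_HUNDRED for n in b.affected_by_jurisdiction.values())


def secretary_notice_timing(b: Breach) -> str:
    """The Secretary is notified regardless of geography: concurrently with
    individual notice at 500 or more in total, otherwise logged and filed annually."""
    return "concurrent" if total_affected(b) >= FIVE_HUNDRED else "annual_log"


def substitute_notice_method(b: Breach):
    """How substitute notice may be given for individuals who cannot be reached by mail."""
    n = b.unreachable_by_mail
    if n == 0:
        return None
    if n <= ALT_CONTACT_MAX:
        # Email (no prior email agreement needed) or phone; leave no sensitive detail in voicemail.
        return "alternate_contact"
    # Website home page (including the login/landing page) or major print/broadcast media
    # in the affected areas, for 90 days, with a 90-day toll-free number.
    return "conspicuous_posting_90_days"


def required_notifications(b: Breach) -> dict:
    """Summarise every notification obligation for one breach record."""
    return {
        "total_affected": total_affected(b),
        "individual_notice_deadline": outer_deadline(b).isoformat(),
        "substitute_notice": substitute_notice_method(b),
        "media_notice": media_notice_required(b),
        "secretary_notice": secretary_notice_timing(b),
    }


if __name__ == "__main__":
    # Constructed sample mirroring the post: 600 individuals, 400 in one state and 200 in another.
    sample = make_breach("2009-12-09", {"State A": 400, "State B": 200}, unreachable_by_mail=12)
    for key, value in required_notifications(sample).items():
        print(f"{key}: {value}")
```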

Conclusion

As you can see, notification really matters. This cannot be approached casually; there are forms to follow, timing to consider and documentation to create. The wise practice administrator will develop a high level of familiarity with this process now so that response to a breach can be thoughtful, timely and compliant with the Breach Notification Rule. I’ll repeat the action items from my last post as a reminder for each of you to act now.

  1. Revise your definition of persons included in your compliance training. Your programs should already consider certain non-employees as members of your workforce, but you should also consider the role of agents who have access to PHI.
  2. Train the workforce and your agents on the importance of reporting noncompliance with your privacy and security policies.
  3. Provide easily accessible methods of reporting compliance issues to increase the odds that the members of your workforce and your agents will feel comfortable making reports of suspected noncompliance.
  4. Establish monitoring routines to increase the likelihood that you will discover an unreported issue.
  5. Determine who will head the investigation and how; specifically address whether the investigation will be conducted under attorney-client privilege and how that protection will be maintained.
  6. Seek local legal guidance, which is particularly important to factor in the impact of any state breach notifications and to ensure that mitigation efforts include a risk assessment, a topic that is beyond the scope of this blog entry.
  7. Establish responsibility for managing a breach notification situation and for ensuring timely investigation and notification.
  8. Establish communication channels to keep affected persons informed, which includes managing the email addresses and toll-free phone lines set up to take affected persons’ inquiries.

References

  1. Breach Notification for Unsecured Protected Health Information; Interim Final Rule. Published August 24, 2009 at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
  2. U.S. Department of Health and Human Services Health Information Privacy web site: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html

Notification Matters – Part 1

Posted November 16, 2009 by Laura Hale
Categories: Breach, HIPAA Security, HITECH, HIPAA Privacy, Regulatory

By Laura L. Hale

The Federal Breach Notification Rule is all about the notification provision – or is it? My earlier posts on this topic explored how this is the first rule that emanated from the HITECH Act. (Since then the Secretary has issued an interim final rule (October 30, 2009) revising the HIPAA enforcement provisions as required by the HITECH Act, which I’ll discuss in subsequent posts.) I’ve already written about the need to secure PHI and the methods to do so. This post will start the topic of the notifications required by the interim final rule; I will conclude this topic in the next post.

Notification Components

This post explores components 1 – 3 below. The next post will continue with components 4 – 7.

  1. Discovery
  2. Timeliness
  3. Content
  4. Actual notice
  5. Substitute notice
  6. Notification to the media
  7. Notification to the Secretary

General Rule

A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.[i]

Discovery

I treat this as a separate component because of the impact it has on a compliance program. The interim final rule specifies that a breach is treated as discovered as of the first day that a breach is known to a covered entity, or would have been known if it had exercised “reasonable diligence”. This mouthful of words is one of the most troublesome for a provider’s compliance program and the one that practice administrators need to address immediately.

Let’s first explore the concept of who can “know” about the breach. A covered entity is deemed to have knowledge of a breach as of the first day that a member of its workforce or its agent knows about the breach. An exception to the covered entity’s deemed knowledge of a breach is when that knowing workforce member or agent is the perpetrator of the breach.

As you’ll recall from early HIPAA Privacy Rule implementation days, a member of the workforce includes both employees and nonemployees working under the covered entity’s direction. The official definition is:

Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity, is under the direct control of such entity, whether or not they are paid by the covered entity.[ii]

The interim final rule clarifies the addition of agents to the mix by stating that the federal rules of agency apply in determining who is an agent of the covered entity. The preamble explains that this clarification is consistent with the HIPAA Enforcement Rule in determining agency liability. Further examination of the impact of the federal rules of agency is beyond the scope of this post.

The preamble highlights the importance of the term “reasonable diligence”, which the Secretary has used to modify the statutory language of the HITECH Act. It defines the term as ‘‘business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.’’ This clarification highlights the need to implement privacy and security monitoring, if it’s not already in place.

If you need more convincing to implement a robust compliance program, including monitoring programs, consider this statement in the preamble: “…it is important for such entities to implement reasonable systems for discovery of breaches.”[iii] If that doesn’t do it, then consider this statement: “…covered entities should ensure their workforce members and other agents are adequately trained and aware of the importance of timely reporting of privacy and security incidents and of the consequences of failing to do so.”[iv]

Timeliness

Once a breach is known to the covered entity, it has 60 calendar days in which to notify an individual of this breach. In the previous section we explored the issue of deemed knowledge of the breach; a covered entity is deemed to have that knowledge if it knows of the breach or should have known of the breach, or a member of the workforce or an agent knows of the breach. So, the 60-day clock can start without a person of authority having any real knowledge of the breach. Further, absent the methodology to discover a breach or the workforce training in place that may lead to a breach being reported, the 60-day clock can expire before the practice can even contemplate compliance with the rule.

The 60-day clock is designed to allow the covered entity sufficient time to investigate the breach and provide the affected patients with “meaningful notice…about what happened.” Taking longer than 60 days to provide the notice will, in the Secretary’s opinion, increase the risk of harm to the individual and decrease their ability to protect themselves from harm.

The preamble is also very clear that the 60-day clock is not to be abused. Notice must be provided without unreasonable delay; a delay in completing the investigation does not offer any excuse. Further, the preamble clearly states that a covered entity that possesses all of the knowledge to send the notice on day 10 but waits until day 60 has caused an unreasonable delay. The Secretary offers that a covered entity can send multiple notices to the individual as information becomes available. The key is to conduct a swift and thorough investigation to 1) determine if a breach has occurred and 2) provide notice without unreasonable delay.

Content

The interim final rule lists the elements required in the notification as:

  1. A brief description of what happened, including the date of the breach and the date of the discovery, if known.
  2. A description of the types of unsecured PHI involved in the breach. The interim final rule is very clear in noting that the notice should not enumerate the actual data that was breached, just a description of it. This is to minimize the chance that the data could be further compromised by its inclusion in the notice.
  3. Any steps individuals should take to protect themselves from potential harm related to the breach. This could include advice to seek credit monitoring services, if credit card data were compromised, or information about how to contact the credit card company and initiate protections in that way.
  4. A brief description of what the covered entity is doing to investigate, mitigate and protect against further breaches. This can include steps that the covered entity is taking to increase security, retrieve the information or sanction the workforce member(s) involved.
  5. Contact procedures to ask questions and learn more information. This must include a toll-free number, an email address, a web site URL or a postal address.

The interim final rule requires that the notice be written in plain language, described in the preamble as:

  1. Written at an appropriate reading level;
  2. Using clear language and syntax; and,
  3. Not including extraneous material that might diminish the message.

Further, if the covered entity is governed by other rules, the notice must conform to those rules as well. Specifically, if the covered entity is governed by Title VI of the Civil Rights Act of 1964, then it must consider Limited English Proficiency persons and ensure reasonable access of those persons to the information in the notice, which may include translating it into other languages. Similarly, if the covered entity is governed by Section 504 of the Rehabilitation Act of 1973 or the Americans with Disabilities Act of 1990, it must ensure effective communications, such as making the communications available in Braille.

Action Items for Practice Administrators

  1. Revise your definition of persons included in your compliance training. Your programs should already consider certain non-employees as members of your workforce, but you should also consider the role of agents who have access to PHI.
  2. Train the workforce and your agents on the importance of reporting noncompliance with your privacy and security policies.
  3. Provide easily accessible methods of reporting compliance issues to increase the odds that the members of your workforce and your agents will feel comfortable making reports of suspected noncompliance.
  4. Establish monitoring routines to increase the likelihood that you will discover an unreported issue.
  5. Determine who will head the investigation and how; specifically address whether the investigation will be conducted under attorney-client privilege and how that protection will be maintained.
  6. Seek local legal guidance, which is particularly important to factor in the impact of any state breach notifications and to ensure that mitigation efforts include a risk assessment[v], a topic that is beyond the scope of this blog entry.
  7. Establish responsibility for managing a breach notification situation and for ensuring timely investigation and notification.
  8. Establish communication channels to keep affected persons informed, which includes managing the email addresses and toll-free phone lines set up to take affected persons’ inquiries.

[i] Breach Notification for Unsecured Protected Health Information; Interim Final Rule. Published August 24, 2009 at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf

[ii] 45 CFR 160.103 found at http://edocket.access.gpo.gov/cfr_2007/octqtr/pdf/45cfr160.103.pdf

[iii] 74 Federal Register page 42749

[iv] Ibid.

[v] Epstein Becker & Green Client Alert: The New HIPAA Breach Notification Rules: A Guide for Covered Entities and Business Associates to the Breach Reporting Obligations under the HITECH Act and HHS Regulations. August 27, 2009 at http://www.ebglaw.com/showclientalert.aspx?Show=11683

HHS Guidance to Protect Digital and Analog PHI

Posted October 7, 2009 by Laura Hale
Categories: Breach, HIPAA Security, HITECH, HIPAA Privacy, Regulatory

By Laura L. Hale

The referenced guidance is contained in the Breach Notification for Unsecured Protected Health Information; Interim Final Rule. It consumes about one and one-half pages of this 32-page document, yet carries a disproportionately big punch. This post will concentrate on the importance of this small slice of a very powerful document.

My two previous posts have been on related topics and may be read to establish a working understanding of the HITECH Act. My first post introduced the HITECH Act and talked about the origins of this guidance. I addressed one aspect of the notification requirement in the second post, namely the analysis required to determine if a breach has occurred and what steps to take after that.

The Secretary’s Guidance

The Secretary reiterates and further defines the original guidance issued April 17, 2009, and does so in the preamble of the Interim Final Rule for breach notification. This section is short but powerful, addressing commenter concerns and giving us all a glimpse into the Secretary’s thought process.

The guidance states that PHI is “rendered unusable, unreadable or indecipherable to unauthorized users if it is encrypted or destroyed.” How did this change the HIPAA Security Rule? What about destruction as a viable alternative? Surely it couldn’t be that easy….

Encryption

The HIPAA Security Rule allows covered entities some flexibility to determine how best to prevent unauthorized access to electronic PHI (ePHI). Although encryption is an implementation specification in the Access Control standard, this is an “addressable standard” in HIPAA Security Rule parlance, meaning that the Secretary did not mandate encryption. Therefore, covered entities could adopt a method that worked in their environment. This was important to the healthcare provider segment as much of their ePHI resides in a practice management system or electronic health record (EHR) for which the software vendor would have to design encryption. Most systems already contain access controls (unique user ID and password combination, for the most part) so that a provider simply needed to isolate the application behind a firewall to provide an appropriate level of security.

The Secretary’s guidance now says that we must encrypt ePHI to consider it “secured”. That doesn’t change a covered entity’s obligations under the HIPAA Security Rule, meaning that a covered entity is still compliant with the access controls/firewall solution. However, that ePHI is now considered “unsecured” for the purposes of this breach notification, meaning that unauthorized access to the ePHI would create a reportable breach notification event.

The guidance further advises that the decryption tools (encryption algorithm or encryption key) be stored on a system that is physically separate (location and hardware) from the system housing the ePHI. This is akin to not leaving your spare house key under the doormat….

The Secretary goes on to list encryption processes that meet the requirements of the guidance; this is tantamount to providing a covered entity with a bulletproof solution; use one of these correctly and your ePHI will be considered secured. The processes listed are:

Data at rest – NIST Special Publication 800–111, Guide to Storage Encryption Technologies for End User Devices

Data in motion – The Secretary enumerates multiple options:

  • NIST Special Publication 800–52, Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations;
  • NIST Special Publication 800–77, Guide to IPsec VPNs;
  • NIST Special Publication 800–113, Guide to SSL VPNs; or
  • Other methods which are Federal Information Processing Standards (FIPS) 140–2 validated

Analysis of these NIST and FIPS documents is well beyond the scope of this blog. Please enjoy all 355 pages at your leisure.

The Secretary also defines “data at rest” and “data in motion” to further clarify the guidance.

“Data at rest” is defined as “data that resides in databases, file systems, flash drives, memory, and any other structured storage method.” By doing this the Secretary incorporates all removable media, laptops, smart phones, CDs, DVDs, etc. (Read the Executive Summary of NIST SP 800-111 (above).)

“Data in motion” is defined as “data that is moving through a network, including wireless transmission, whether by e-mail or structured electronic interchange.”

Destruction

The guidance specifies destruction methodologies for hard copy and soft copy media. For hard copy media, the Secretary specifically mentions shredding and excludes redaction as a secure method. Other approved methods are those that render the PHI destroyed so that it cannot be reconstructed. This, in my opinion, is the final word on manual shredding, which I have long asserted doesn’t render the data destroyed.

The guidance regarding soft copy media relies on the standards set forth in NIST Special Publication 800-88, Guidelines for Media Sanitization (another 42 pages of fun). This publication acknowledges that successful security of sensitive information may force rebuffed hackers to pursue data outside the secure system, such as on storage media. It is very easy for users to forget that removable media, laptop hard drives, mirrored disk drives, etc. store data that must be securely wiped from the device before re-deploying it or otherwise disposing of it.

Conclusion

The covered entity has to be aware that an inability to encrypt ePHI, while not a violation of the HIPAA Security Rule, leaves the covered entity responsible for providing breach notification in the event of unauthorized access. As mentioned in the prior post, if the PHI is secured (as specified in this guidance) when it is subject to unauthorized access the breach notification provisions do not kick in. Simply encrypting data in the database may not be enough; the covered entity must also encrypt data stored on removable media and data in transit. Because of this, merely adding encryption to the software application or the server itself will not avoid the Breach Notification Rule. See, it isn’t that easy….

Resources

  1. Breach Notification for Unsecured Protected Health Information; Interim Final Rule. Published August 24, 2009 at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
  2. National Institute of Standards and Technology, Special Publications (800 Series) at http://www.csrc.nist.gov/publications/PubsSPs.html
  3. Federal Information Processing Standards Publications at http://www.itl.nist.gov/fipspubs/by-num.htm

When is a PHI breach not a breach?

Posted September 29, 2009 by Laura Hale
Categories: Breach, HITECH, HIPAA Privacy, Regulatory

By Laura L. Hale

It’s easy to assume that we all know what constitutes a “breach” of protected health information (PHI); the Privacy Rule has been in effect since December 2000 and we have all been dealing with it since. But when do you have to notify a patient of a breach? More specifically, when is a breach not a breach?

The breach notification interim final rule, issued in August by the Secretary of the Department of Health and Human Services (see prior post for more detail), is very specific in describing the steps that a covered entity should take to determine whether a breach has occurred. Timeliness in making this determination is critical as the covered entity has a relatively small window in which to act. This post will focus exclusively on identifying if a breach has occurred; the timing and content of the notice will be addressed in the next post and more information about securing data will be in a subsequent post.

Not-so-subtle changes to the HIPAA Rules

The interim final rule adds a new subpart to Part 164-Security and Privacy (the HIPAA Rules). Subpart D-Notification in the Case of Breach of Unsecured Protected Health Information introduces two new definitions; one defines a breach and provides statutory exceptions and the other defines what constitutes unsecured PHI.

A “breach” is defined as the acquisition, access, use, or disclosure of protected health information in a manner not permitted under the Privacy Rule and which compromises the security or privacy of the protected health information. The last clause, “which compromises the security or privacy of the protected health information”, is critical since a violation of the Privacy Rule that does not put the PHI at risk is not a breach!

Also included with this definition are statutory exceptions. These include 1) the unintentional acquisition, access or use of PHI by a person acting under the authority of the covered entity or business associate; 2) the inadvertent disclosure from one authorized person to another; and, 3) unauthorized disclosure where the recipient cannot reasonably be expected to retain the information.

“Unsecured protected health information” is defined as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the guidance issued in the interim final rule and periodically updated. Note that if the PHI is not “unsecured PHI”, then no breach occurs.

How to determine whether a reportable breach has occurred

Now that we know that a violation of the Privacy Rule isn’t always a breach, how do we know when it is? The preamble in the interim final rule spells out the steps required to make this determination. Remember: if the PHI wasn’t unsecured, no breach has occurred.

1.  Determine whether the unauthorized use or disclosure may constitute a violation of the Privacy Rule. This may include uses and disclosures beyond the minimum necessary standard but may exclude incidental uses and disclosures if the requisite safeguards are in place. Revisit your basic privacy policies to determine whether the incident constitutes a violation of the Privacy Rule.

2.  Determine whether the violation compromised the security or privacy of the PHI. This requires a risk assessment to ascertain whether the violation “poses a risk of financial, reputational, or other harm to the individual” and should include some or all of the following factors:

  • Consider who received the information. If it was another covered entity then the risk to the individual may be small since that covered entity is required to safeguard the PHI. The risk can be further reduced through mitigation efforts.
  • Consider whether the PHI was returned intact. A stolen or misplaced laptop containing PHI may be returned without having been accessed (as determined by a forensic investigation).
  • Consider the type and amount of PHI involved. The disclosure of an individual’s name and place of treatment may pose a small risk to the individual. However, disclosure of any sensitive information, such as the type of treatment (e.g., oncology) or the treatment facility (e.g., substance abuse facility) or any information that can be used for identity theft (e.g., social security number) may pose a greater risk to the individual.
  • Note: The preamble states that the covered entity or business associate bears the burden of demonstrating that no breach has occurred based on its risk assessment. Therefore, document and retain your risk assessments!

3.  Determine whether the disclosure meets one of the statutory exceptions.

  • Unintentional acquisition, access or use of PHI by a workforce member acting under the authority of the covered entity or business associate if it was made in good faith, within the scope of employment or other professional relationship, and does not result in further unauthorized use or disclosure. An example offered in the preamble is one of a billing clerk who receives an email from a clinical staff member in error. The email contains PHI but was intended for another member of the workforce. Provided that the billing clerk does not make any further unauthorized use or disclosure, no breach has occurred. However, a billing clerk who scans through PHI looking for a friend’s treatment information to satisfy a personal curiosity is not acting within the scope of employment and therefore the exception would not apply.
  • The inadvertent disclosure from one authorized person to another at the same covered entity or business associate or within an organized health care arrangement. Therefore, covered entities, business associates or organized health care arrangements spanning multiple physical locations can consider the inadvertent disclosure as within the entity even if it crossed those physical locations. An inadvertent disclosure from an authorized person in a Texas facility to one in a New York facility may still qualify as an exception provided that the PHI is not further used or disclosed inappropriately.
  • Unauthorized disclosure where the recipient cannot reasonably be expected to retain the information. An example offered is the workforce member who hands paperwork belonging to another person to a patient, then immediately retrieves it before the information can be read or retained.

Conclusion

Potential Privacy Rule violations may not always require breach notification as outlined in the interim final rule. However, the process of determining this is complex and exacting; don’t leave it to chance to decide who will run through the required analyses when a potential Privacy Rule violation occurs. Develop a policy that spells out who owns the process and how it will be documented. Be sure to address how quickly that individual will have to act, since the window for notification is 60 days. The next post will address the question of when the 60-day period begins.

Introduction to the HITECH Act

Posted September 21, 2009 by Laura Hale
Categories: HITECH, Regulatory

Tags:

By Laura L. Hale

What is the HITECH Act?

The American Recovery and Reinvestment Act of 2009 (ARRA) hardly needs any introduction to the American public. Also referred to as the Stimulus Bill, this legislation was the Obama administration’s first salvo against the recession and is therefore of interest to all Americans. However, those of us in the healthcare world are particularly interested in a segment of ARRA known as the HITECH Act.

ARRA consists of Division A, Appropriations Provisions, and Division B, Tax, Unemployment, Health, State Fiscal Relief, and Other Provisions. Title XIII of Division A and Title IV of Division B are given the short title of the “Health Information Technology for Economic and Clinical Health Act” or simply the “HITECH Act”.

The HITECH Act provides incentives for healthcare providers to adopt electronic health records (EHR) in order to improve healthcare quality, safety and efficiency; it also provides for penalties for those who do not adopt EHR. This aspect of the HITECH Act will be addressed in more detail in future postings.

The HITECH Act complements the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in providing a focus on administrative efficiencies and by further promoting patient privacy and the security of patient protected health information (PHI). Subtitle D of Division A of ARRA is devoted to privacy; one component of the privacy subtitle is a breach notification provision. Other components will be addressed in future postings.

What is the status of the HITECH Act?

The privacy breach notification provision of the HITECH Act requires that the Secretary of the Department of Health and Human Services (“the Secretary”) consult with stakeholders and develop guidance regarding “technologies and methodologies that render protected health information unusable, unreadable or indecipherable to unauthorized individuals” within 60 days of the enactment date of ARRA, and related interim final regulations within 180 days of the enactment date. Accordingly, the Secretary issued the guidance on its website on April 17, 2009 and issued the interim final rule via publication in the Federal Register on August 24, 2009. The guidance was effective upon issuance but applied only to breaches occurring 30 days after publication of the interim final rule. Therefore the breach notification provisions become enforceable for breaches occurring on or after September 23, 2009.

In order for a provider or hospital to be eligible for the incentives specified in the HITECH Act, that entity must employ a “certified” EHR. I will address the certification issue in a subsequent posting. If the EHR is certified, then the criteria of meaningful use, electronic exchange and reporting of clinical quality measures come into play. In August the HIT Policy Committee, a Federal Advisory Committee to the Office of the National Coordinator for Health Information Technology (ONC), issued final recommendations to ONC regarding the definition of meaningful use. Stay tuned for a future posting which will delve into the topic of “meaningful use” in a meaningful fashion!

What is required of physician practices under the interim final rule?

Reporting – A practice experiencing a breach (unauthorized access or disclosure) of unsecured PHI may have to provide notice to “affected individuals”.

Risk assessment – Each breach must trigger a risk assessment to determine whether it poses a significant financial risk, a risk to the individual’s reputation or other harm to the individual. If such a risk is found, then the notification must occur.

Form of notice – The Secretary has specified the following five elements that must be in the breach notification:

  1. A brief description of the breach including the date on which it occurred and the date it was discovered;
  2. A description of the types of information involved;
  3. Steps the individual should take to protect themselves from harm;
  4. A brief description of what steps the provider is taking to investigate the breach, mitigate harm and protect against future breaches; and,
  5. Contact information including a toll-free telephone number, email address, website or mail address.

What should a practice administrator do today?

Very simply, take action now regarding the breach notification provisions. Although the effective date is imminent, the Secretary has given providers and business associates a six-month reprieve in HHS enforcement activities. That doesn’t mean that providers can sit back and relax during this time; six months will go by quickly and there is a lot of work to do in the interim.

Remember, in addition to the penalties “clarified” in ARRA, a provider who experiences a breach of PHI, whether the PHI is within the provider’s control or that of a business associate, faces potential public outcry for such a breach (think of your local television station’s consumer watchdog segment), potentially resulting in damage to the provider’s reputation.

Here’s a quick list of things to do to get you started:

  1. Inventory unsecured PHI and either secure it or safely destroy it (check your governing record retention laws, rules and regulations first!)
  2. Develop policies and procedures (or enhance existing ones) that address PHI security and breach notification.
  3. Train, train, train and train some more! Simply posting new policies doesn’t work. Managers are often so busy they can gloss over new policies or delegate them to a subordinate, diluting their effectiveness or delaying required changes. Your line employees may not feel empowered to make changes, so train them well and open the door for comments during or after training sessions.
  4. Put someone in charge of the breach notification process, including the risk assessment, and then train them well.
  5. Consult your regulatory attorney! I’m not a lawyer (as I’ve been told on more than one occasion) and there are other considerations that may come into play, such as your state’s breach notification rules. This is one of those topics that is more trouble than it’s worth until the unspeakable happens – then it’s too late to act.

Take action now – it’s also the right thing to do.

Resources

General ARRA resources:

  1. American Recovery and Reinvestment Act of 2009 http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=111_cong_bills&docid=f:h1enr.pdf
  2. Health Information Technology – a website created by ONC and the Agency for Healthcare Research and Quality to eventually become the centralized repository for all things HIT. Found at http://healthit.hhs.gov

Privacy resources:

  1. Epstein Becker & Green Client Alert: The New HIPAA Breach Notification Rules: A Guide for Covered Entities and Business Associates to the Breach Reporting Obligations under the HITECH Act and HHS Regulations. August 27, 2009 at http://www.ebglaw.com/showclientalert.aspx?Show=11683
  2. Breach Notification for Unsecured Protected Health Information; Interim Final Rule. Published August 24, 2009 at http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
  3. HITECH Act Breach Notification Guidance and Request for Public Comment. Published April 17, 2009 at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/guidance_breachnotice.html (page currently contains a link to the Federal Register for April 27, 2009; the original pre-Federal Register guidance can be found at http://law2point0.com/wordpress/wp-content/uploads/2009/04/hitechrfi1.pdf)
